Parse Server OAuth2 Adapter State Management Vulnerability Allowing Token Validation Misalignment

Vulnerability

A vulnerability exists in Parse Server's OAuth2 authentication adapter, affecting versions from 9.0.0 up to but not including 9.6.0-alpha.11, and all versions prior to 8.6.37. The issue arises because the OAuth2 adapter exports a singleton instance that is shared across all OAuth2 provider configurations. With this design, concurrent authentication requests for different OAuth2 providers can race on the shared instance, so one provider's token validation may inadvertently run with another provider's configuration. This misalignment could allow a token that should be rejected by one provider to be accepted under a different provider's policy. The vulnerability affects deployments that enable multiple OAuth2 providers using the 'oauth2: true' flag.

Impact

Exploiting this vulnerability could lead to incorrect token validation, allowing tokens to be accepted or rejected based on the wrong OAuth2 provider's policy, potentially bypassing authentication requirements.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.11 or 8.6.37, where this vulnerability has been patched. Instructions for downloading these versions are available on the Parse Server GitHub Releases page.
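To make the mechanism in the Vulnerability section and the shape of the fix concrete, here is a constructed JavaScript model of the bug class; it is an added illustration, not Parse Server's adapter code, and every name in it (sharedAdapter, statelessAdapter, validateOptions, the endpoints and tokens) is hypothetical.

```javascript
// Constructed model (hypothetical names, not Parse Server's code): one adapter object shared by
// every provider keeps the current provider's settings in its own fields, so in-flight logins collide.
const PROVIDERS = {
  providerA: { introspectionUrl: 'https://a.example/introspect' },
  providerB: { introspectionUrl: 'https://b.example/introspect' },
};
// Constructed stand-in for the introspection call: each endpoint knows only its own token.
const introspect = (url, token) =>
  (url === PROVIDERS.providerA.introspectionUrl && token === 'tok-a1') ||
  (url === PROVIDERS.providerB.introspectionUrl && token === 'tok-b1');

// Vulnerable shape: provider configuration is stored on the shared instance.
const sharedAdapter = {
  validateOptions(options) { this.options = options; },
  validateAuthData(a) { return introspect(this.options.introspectionUrl, a.access_token); },
};

// Fixed shape: configuration travels with each call; nothing is kept on the instance.
const statelessAdapter = {
  validateAuthData(a, options) { return introspect(options.introspectionUrl, a.access_token); },
};

// One login request as a generator; the yield marks where a real adapter awaits
// the introspection round-trip and the event loop can run another request.
function* login(adapter, providerName, token) {
  const options = PROVIDERS[providerName];
  if (adapter.validateOptions) adapter.validateOptions(options);
  yield;
  return adapter.validateAuthData({ access_token: token }, options);
}

// Round-robin scheduler standing in for the event loop: every request advances
// one step per turn, so concurrent logins interleave at the yield.
function runConcurrently(requests) {
  const results = [];
  const pending = requests.map((gen, i) => ({ gen, i }));
  while (pending.length) {
    const { gen, i } = pending.shift();
    const step = gen.next();
    if (step.done) results[i] = step.value; else pending.push({ gen, i });
  }
  return results;
}
// A token issued by providerB is presented to providerA's login while a genuine
// providerB login is in flight; providerA must reject it. Returns providerA's verdict.
function scenario(adapter) {
  const logins = [login(adapter, 'providerA', 'tok-b1'), login(adapter, 'providerB', 'tok-b1')];
  return runConcurrently(logins)[0];
}
```

With the shared adapter the providerA request resumes after providerB has overwritten `this.options`, so the token is checked against providerB's endpoint and accepted; the stateless adapter checks it against providerA's endpoint and rejects it.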

Added: Mar 12, 2026, 7:21 PM
Updated: Mar 12, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.